danny-avila/librechat
cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*
- 0.7.8
A vulnerability in the conversation sharing feature of LibreChat version 0.7.8 allows unauthorized access to users' conversations via the sharing endpoint. This issue arises from inadequate authorization controls, enabling logged-in users to access other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are challenging to brute force, they can be extracted from less-protected sources such as server-side access logs, browser history, or screenshots. The vulnerability permits access to conversations through the '/api/share/conversationID' endpoint, which lacks proper authorization checks.
Exploitation of this vulnerability grants read-only access to another user's conversations, specifically those without valid share URLs created by their owners.
To reproduce this vulnerability, obtain a conversation ID from a user who has not shared it. Then, send a POST request to the '/api/share/conversationID' endpoint with the known conversation ID. This request will create a sharing link for the conversation. Afterward, access the shared conversation through the GET '/api/share/shareID' endpoint, using the share ID received from the previous step. To maintain access, send PATCH requests to the same share ID endpoint, updating the shared link with the latest conversation content.
Users can update to LibreChat version 0.7.9-rc1, where this vulnerability has been fixed.